19 comments

[ 3.2 ms ] story [ 58.5 ms ] thread
Flagged out of front page though.
Huh, I wonder why. Because it seems my submission is being penalized for being submitted hours before it hit the general media.
Agreed, the password it has for me is not my Gmail password, but one that I've used to sign up for various junk accounts using the email address.
The problem with such lists is that plenty of people will use the same password they used on website 'x' with their gmail account. So don't be surprised if a whole pile of these actually will work with the listed gmail address.
Right, but there is a least a chance that the email:password combos are wrong, even if the email is valid.
WARNING: This is probably fake and a scam. If you ctrl + f you are giving away your account name to the site which can be done with some simple javascript.

There was a talk about that a while back. And the username can then be used for a bruteforce attack. News companies need to stop being so dumb and reporting on these fake hacks.

https://canary.pw/view/?item=13221ab1721254808546bd068b6cd47...

https://canary.pw/view/?item=1bc5b34811b50f3fbce06cb55088372...

https://canary.pw/view/?item=87ecceaf19b0187e901e15c5bc8f8a9...

Canary is still chewing through the dataset I fed it and figuring out where they all relate (if at all), but so far it seems that some of the data is as old as January 2014. This is likely not from Gmail itself but perhaps a collection of other leaks.

Interestingly I have one hit for my gmail on isleaked.

Looking at that link I see freebiejeebies, which if I check in keepass I created an account for in 2008 with a unique password (as I tended to back then, even for throwaways).

Sure enough the first two characters match that reported by isleaked (Though case doesn't match..)

Having gone through the majority of the other entries in keepass, that is the only password starting with the two reported characters.

So can safely say freebiejeebies was compromised at some point.

Now to work out why I'd have an account on there in the first place ;)

wouldn't the passwords be hashed? or are these passwords captured through other means like trojans?
According to the article, they never managed to hack into Google's database. This just looks like a large accumulation of user info from phishing.
Anybody have the raw data?
Look at dead comments in other submission.
(comment deleted)
Me too. My password is in the dataset, but it's one I've never used with my Google account. It's my "low-security" password that I use on sites that I don't really care about.
One of my throwaway gmail's is in the leak, the password matches the password I gave at devicescape.com